Breach of the Month, September 2017

Every Friday the SS8 Twitter feed features a notable breach, leak, or hack as our pick for the SS8 #breachoftheweek. At the end of every month, our engineers take a look at each of these ‘finalists’ and select one outstanding breach as our #BreachOfTheMonth pick. Which did we choose for September? This month’s breach threat analysis features the thoughts of engineer Akshay Nayak:

Canoe.ca breach:

Entertainment and news website Canoe.ca suffered a data breach in which the details of roughly 1 million users were stolen from its database. The records covered users who registered between 1996 and 2008 and included names, email addresses, postal addresses and phone numbers.

Overseas adversaries send ransom letter to local high school:

Hackers from TheDarkOverlord, an overseas hacking group, broke into Columbia High School's IT infrastructure. After stealing sensitive data, they emailed a seven-page ransom letter to the superintendent and members of the school board, demanding a sum of money in bitcoin in return for deleting the stolen data and not releasing it publicly.

Deloitte Breach:

Deloitte, one of the largest accounting firms in the world, was breached towards the end of 2016, around November, but the intrusion was not detected until March of this year. The compromised data included usernames, passwords, business plans and confidential data belonging to US companies as well as government agencies. The attacker broke into one of the company's email servers and gained control of an administrator account. That account was protected by a single password only; with no multi-factor authentication enabled, the password alone granted full access, and no second-factor prompt warned the administrator that someone else was logging in.

And the winner is… quite obviously…

The Equifax Breach

In terms of the sheer number of compromised records, the Equifax breach is large, 145.5 million (based on the final results of the investigation), but this number pales in comparison with the Yahoo breach, which according to the latest findings affected around 3 billion accounts.

However, the severity and impact of the Equifax breach exceed those of any other breach that happened not only this month but in all of 2017 so far. The reason is the nature of the PII (Personally Identifiable Information) that was compromised, which has far-reaching consequences for the affected users, with identity theft at the top of the list. In fact, with only a few months remaining in the year, this could very well be the Breach of the Year.

As mentioned in the breach summary, the compromised details included names, addresses, email addresses, Social Security numbers and driver's license numbers. That was not all: the attackers also stole around 209K credit card numbers and about 182K dispute documents containing personal information.

The vulnerability that was exploited and eventually led to the theft of all this sensitive data was in a component of the Apache Struts framework and carries the identifier CVE-2017-5638. The affected component was the Jakarta multipart parser, the library Struts uses to handle HTTP file uploads. Its exception handling and error message generation had a bug: when the parser rejected a malformed Content-Type header, the header value was copied into the error message, and that message was then evaluated as an OGNL expression, allowing an attacker to execute arbitrary code remotely. A patch was released in early March 2017 (Struts 2.3.32 and 2.5.10.1). Given how severe this vulnerability was, it was a huge oversight on the part of vulnerability management at Equifax to leave the patch uninstalled for roughly two months before the breach began. Note also that the vulnerability was not only extremely severe (it had a CVSS score of 10) but that a proof-of-concept exploit and even a Metasploit module were available shortly after it was disclosed. The application did not even need to offer a file-upload feature: Struts hands any request whose Content-Type header claims to be multipart to this parser, so the mere presence of the vulnerable library on a Struts server was enough for an attacker to execute code remotely.
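Because the attack rides entirely on the Content-Type header, a defender who logs that header can hunt for exploitation attempts after the fact. The following script is an added example, not code from the SS8 post or from Apache Struts: it classifies each logged Content-Type value as a legitimate media type, a malformed value that would reach the parser's error path, or an OGNL expression of the kind used against CVE-2017-5638. The log format (client IP, method, path, then the raw header) and the log lines themselves are constructed for the example, and the malicious header is modelled on the shape of the publicly circulated proof-of-concept, not on captured traffic.

```python
"""Flag HTTP requests whose Content-Type header is an OGNL expression rather
than a media type, the shape used by public exploits for CVE-2017-5638.

Added example, not part of the SS8 post or of Apache Struts. The log lines
below are constructed; the malicious header is modelled on the publicly
circulated proof-of-concept pattern, not on captured traffic.
"""
import re
from typing import List, Optional

# Markers of an OGNL expression in a header that should hold a media type.
# Exploits embed the literal 'multipart/form-data' inside the expression so
# that Struts routes the request to the vulnerable multipart parser.
OGNL_MARKERS = [
    re.compile(r"[%$]\{"),                                # expression opener %{...} / ${...}
    re.compile(r"#_memberAccess"),                        # OGNL sandbox switch
    re.compile(r"@ognl\.OgnlContext@"),                   # static access to DEFAULT_MEMBER_ACCESS
    re.compile(r"java\.lang\.(Runtime|ProcessBuilder)"),  # command execution primitives
]

# A well-formed media type: type/subtype followed by optional ;name=value
# parameters (quoted or token values). Anything else reaches the parser's
# error path that CVE-2017-5638 abused, so it is worth recording even
# without OGNL markers.
MEDIA_TYPE = re.compile(
    r'^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+'
    r'(\s*;\s*[A-Za-z0-9_.-]+=("[^"]*"|[^;\s]+))*\s*$'
)


def classify_content_type(value: str) -> Optional[str]:
    """Return 'ognl' for an expression payload, 'malformed' for a value that is
    not a media type, or None for a legitimate header. '-' means the request
    carried no Content-Type header."""
    if value == "-":
        return None
    if any(m.search(value) for m in OGNL_MARKERS):
        return "ognl"
    if not MEDIA_TYPE.match(value):
        return "malformed"
    return None


def scan_log(lines: List[str]) -> List[dict]:
    """Scan lines in the constructed format
    '<client-ip> <method> <path> <Content-Type header or ->' and return one
    finding per suspicious request. The header is the remainder of the line,
    so parameters containing spaces survive intact."""
    findings = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue  # truncated line; nothing to inspect
        ip, method, path, ctype = parts
        verdict = classify_content_type(ctype)
        if verdict:
            findings.append({"ip": ip, "method": method, "path": path,
                             "verdict": verdict, "content_type": ctype})
    return findings


# Constructed sample: one benign GET, two benign POSTs, one S2-045-style
# probe and one malformed header.
SAMPLE_LOG = [
    "198.51.100.7 GET /index.action -",
    "198.51.100.7 POST /upload.action multipart/form-data; boundary=----X7a9",
    "203.0.113.5 POST /index.action %{(#_='multipart/form-data')."
    "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess=#dm)."
    "(#cmd='whoami').(#p=new java.lang.ProcessBuilder({'/bin/sh','-c',#cmd}))."
    "(#p.start())}",
    "203.0.113.5 POST /index.action application/json; charset=utf-8",
    "192.0.2.9 POST /login.action not-a-media-type",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['verdict']:9} {f['ip']:14} {f['method']} {f['path']}  "
              f"{f['content_type'][:60]}")
```

Run against the sample it reports the OGNL probe from 203.0.113.5 and the malformed header from 192.0.2.9, and nothing for the legitimate uploads. The 'malformed' verdict is a lead, not a conviction: broken clients produce odd headers too, but every such request exercised the same error path the exploit abused, so on an unpatched Struts host it deserves a second look.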

Equifax created a website where users can find out whether their details were stolen and enroll in its credit monitoring and protection services. This post by Brian Krebs does an excellent job of explaining the impact of the Equifax breach on end users and the steps they can take to thwart potential identity thieves.

One very valuable lesson from the Equifax breach concerns vulnerability and patch management. Zero-day vulnerabilities are certainly dangerous, but in most cases adversaries exploit vulnerabilities for which patches are already available. A good vulnerability and patch management plan is therefore of paramount importance. In particular, it should combine a regular weekly or monthly security update cycle with out-of-band (OOB) updates that patch critical-severity, high-impact vulnerabilities as soon as fixes ship, and it has to rest on an accurate inventory of which applications embed which third-party libraries: a framework such as Struts bundled inside a web application is easy to miss if patching is tracked only at the operating-system level.
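The inventory side of that plan can be partly automated. The script below is an added example, not SS8's or Apache's code: it reads a Maven pom.xml, resolves the Struts dependency version (including the common `${property}` indirection), and reports whether it falls inside the ranges the Apache S2-045 advisory lists for CVE-2017-5638 (Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10, fixed in 2.3.32 and 2.5.10.1). Both pom.xml documents are constructed for the example. It only sees dependencies declared directly in the POM; a version inherited from a parent POM or BOM is reported as unresolved, and transitive dependencies need the full dependency tree, which this check does not build.

```python
"""Check a Maven pom.xml for an Apache Struts 2 dependency in the version
ranges affected by CVE-2017-5638 (Apache advisory S2-045: Struts 2.3.5
through 2.3.31 and 2.5 through 2.5.10; fixed in 2.3.32 and 2.5.10.1).

Added example, not SS8's or Apache's code. The two pom.xml documents are
constructed; a real scan would also need the transitive dependency tree,
which a direct pom check does not see.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Inclusive (low, high) version ranges taken from the S2-045 advisory.
AFFECTED_RANGES = [
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5), (2, 5, 10)),
]

PROPERTY_REF = re.compile(r"\$\{([^}]+)\}")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1). A qualifier such as '-SNAPSHOT'
    is dropped because the advisory ranges are purely numeric."""
    numeric = re.match(r"[0-9]+(\.[0-9]+)*", version)
    if not numeric:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in numeric.group(0).split("."))


def is_affected(version: str) -> bool:
    """True if the Struts version lies inside an affected range. Tuples
    compare lexicographically, so (2, 5, 10, 1) > (2, 5, 10) and the fixed
    2.5.10.1 correctly falls outside the second range."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def _strip_namespaces(root: ET.Element) -> None:
    """Drop the POM XML namespace so tags can be matched by local name."""
    for el in root.iter():
        el.tag = el.tag.split("}", 1)[-1]


def struts_dependencies(pom_xml: str) -> List[dict]:
    """One record per org.apache.struts dependency declared directly in the
    POM, with ${property} references resolved from <properties>."""
    root = ET.fromstring(pom_xml)
    _strip_namespaces(root)
    props = {}
    for block in root.iter("properties"):
        for child in block:
            props[child.tag] = (child.text or "").strip()

    def resolve(value: str) -> str:
        return PROPERTY_REF.sub(lambda m: props.get(m.group(1), m.group(0)), value)

    records = []
    for dep in root.iter("dependency"):
        if dep.findtext("groupId", "").strip() != "org.apache.struts":
            continue
        artifact = dep.findtext("artifactId", "").strip()
        version = resolve(dep.findtext("version", "").strip())
        # A version managed by a parent POM or BOM is not visible here.
        affected: Optional[bool] = None
        if version and "${" not in version:
            affected = is_affected(version)
        records.append({"artifact": artifact, "version": version or None,
                        "affected": affected})
    return records


# Constructed POMs: the first pins struts2-core through a property to an
# affected release, the second directly to the fixed 2.5.10.1.
VULNERABLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>example-webapp</artifactId><version>1.0</version>
  <properties><struts.version>2.5.10</struts.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.struts</groupId><artifactId>struts2-core</artifactId>
      <version>${struts.version}</version></dependency>
    <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId>
      <version>1.7.25</version></dependency>
  </dependencies>
</project>"""

FIXED_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>example-webapp</artifactId><version>1.1</version>
  <dependencies>
    <dependency><groupId>org.apache.struts</groupId><artifactId>struts2-core</artifactId>
      <version>2.5.10.1</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for name, pom in (("vulnerable", VULNERABLE_POM), ("fixed", FIXED_POM)):
        for r in struts_dependencies(pom):
            print(f"{name}: {r['artifact']} {r['version']} affected={r['affected']}")
```

Pointed at a repository of build files, a check like this gives the patch-management process its worklist the day an advisory lands, which is exactly the gap between the early-March fix and the mid-May exploitation that the Equifax timeline exposed.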

Akshay Nayak is a Threat Researcher at SS8 Networks. In addition to threat hunting, he likes listening to Bollywood music and playing FIFA. A big Game of Thrones fan, he is one of those people who likes the books better than the TV series.